Hi Satosa Users List,
Firstly, I think my registration for this email list is still pending (or emails are
being swallowed by a spam filter somewhere…) is anyone able to approve? Otherwise, maybe
there’s simply no traffic :)
It comes and goes...
I’m hitting an issue when coming back from my
discovery service (PyFF) to Satosa. At the point where Satosa looks up the IdP/SP in PyFF
it fails with a bad SSL handshake. Satosa is running with Docker, as is PyFF.
Specific error:
requests.exceptions.SSLError:
HTTPSConnectionPool(host='pyff.cern.ch', port=443): Max
retries exceeded with url: /entities/%7Bsha1%7Dbf0f1310cb092e88484def3c53613f8a10ebde3d
(Caused by SSLError(SSLError("bad handshake: Error([('SSL routines',
'tls_process_server_certificate', 'certificate verify
failed')],)",),))
I imagine this is because my PyFF instance is running with a certificate that is not
publicly trusted. I’ve manually added the certificate to the SSL store in the Satosa
docker container (and am able to connect with docker exec satosa_container openssl
s_client -connect pyff.cern.ch:443 ), but am still hitting
an exception in the Satosa code.
Has anyone come across this? Is there a way to specify additional trusted CAs, or request
that the MDQ lookup be more lenient (for testing purposes)?
I have not, usually because I deploy pyFF to serve MDQ data over HTTP
and not HTTPS because I require SATOSA to check the XML signature on the
returned data.
Have you considered doing the same, or do you have a hard requirement
for using HTTPS for MDQ?
Thanks,
Scott K
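An added example for the trust-store question raised in this thread (it is not SATOSA, pysaml2 or PyFF code, and nothing in the thread confirms how SATOSA configures its HTTP client beyond the `requests` traceback). The traceback shows the MDQ fetch going through `requests`, and `requests` does not read the OS trust store that `update-ca-certificates` populates: it ships its own CA bundle (via `certifi`) and only replaces it when `REQUESTS_CA_BUNDLE` (or `CURL_CA_BUNDLE`) is set, or when the caller passes `verify=<path>` explicitly. So a CA added to `/etc/ssl/certs` inside the container is invisible to the lookup unless the process is also told to use it. The block below builds a combined bundle (public roots plus the private CA that issued the PyFF certificate) and mirrors the precedence `requests` applies; the file names, the `demo()` helper and the PEM bodies are assumptions and constructed placeholders, not real certificates.

```python
import os
import re
import tempfile

# A PEM bundle is just concatenated certificate blocks; this matches one block.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.+?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed placeholder PEM bodies (not real certificates). The bundle
# builder only checks block framing, so dummy bodies are enough for the demo.
CONSTRUCTED_PUBLIC_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBconstructedPublicRootPlaceholder0000000000000000000000000000\n"
    "-----END CERTIFICATE-----\n"
)
CONSTRUCTED_PRIVATE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBconstructedPrivateMdqCaPlaceholder00000000000000000000000000\n"
    "-----END CERTIFICATE-----\n"
)


def count_certs(pem_text: str) -> int:
    """Number of certificate blocks in a PEM string."""
    return len(PEM_CERT_RE.findall(pem_text))


def build_ca_bundle(base_bundle_path: str, extra_ca_paths, out_path: str):
    """Write base bundle + extra CA certs to out_path; return (out_path, count).

    Refuses any input file with no certificate block, so a wrong path or an
    empty file cannot silently yield a bundle that still lacks the private CA.
    """
    parts = []
    total = 0
    for path in [base_bundle_path, *extra_ca_paths]:
        with open(path, "r", encoding="ascii") as fh:
            text = fh.read()
        n = count_certs(text)
        if n == 0:
            raise ValueError(f"{path}: no certificate blocks found")
        parts.append(text if text.endswith("\n") else text + "\n")
        total += n
    with open(out_path, "w", encoding="ascii") as fh:
        fh.write("".join(parts))
    return out_path, total


def resolve_requests_ca_bundle(env, default_bundle: str) -> str:
    """Mirror the precedence requests applies when a caller leaves verify=True:
    REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE, then its own bundled certifi file.
    The OS trust store is not in this list, which is why adding the CA there
    alone changes nothing for requests."""
    return env.get("REQUESTS_CA_BUNDLE") or env.get("CURL_CA_BUNDLE") or default_bundle


def demo():
    """Build a combined bundle from constructed files and show the resolution."""
    workdir = tempfile.mkdtemp(prefix="mdq-ca-")
    base = os.path.join(workdir, "certifi-cacert.pem")  # stands in for certifi.where()
    private_ca = os.path.join(workdir, "pyff-private-ca.pem")  # assumed name for the MDQ CA
    with open(base, "w") as fh:
        fh.write(CONSTRUCTED_PUBLIC_CA_PEM)
    with open(private_ca, "w") as fh:
        fh.write(CONSTRUCTED_PRIVATE_CA_PEM)
    bundle, n = build_ca_bundle(base, [private_ca], os.path.join(workdir, "bundle.pem"))
    # Without the variable requests stays on the certifi bundle; with it, ours.
    before = resolve_requests_ca_bundle({}, base)
    after = resolve_requests_ca_bundle({"REQUESTS_CA_BUNDLE": bundle}, base)
    return {"bundle": bundle, "certs": n, "before": before, "after": after}


if __name__ == "__main__":
    result = demo()
    print(f"bundle {result['bundle']} holds {result['certs']} CA certs")
    print(f"requests would use {result['before']} -> {result['after']}")
```

In the container the equivalent is to run SATOSA with `REQUESTS_CA_BUNDLE` pointing either at the combined file or at the OS bundle that already holds the private CA (`/etc/ssl/certs/ca-certificates.crt` on Debian-based images); that only takes effect if the client code leaves `verify=True`, which the traceback suggests but does not prove for pysaml2. Two checks worth making first: `openssl s_client` completes the handshake even when verification fails, so look at its `Verify return code:` line rather than at whether it connected; and if the distribution's patched `requests` already uses the system store, the variable is unnecessary and the failure lies elsewhere (for example a hostname mismatch with the certificate). Scott's approach of serving MDQ over plain HTTP and relying on the XML signature check sidesteps the TLS trust question entirely, at the cost of confidentiality of the lookups.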